Description
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
Published: 2026-06-03
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions prior to 9.5.2 are vulnerable to PHP Object Injection through unserialize() calls in several components, namely Workflow, Form block, and File/Set. An unauthenticated attacker who manages to inject a malicious serialized payload into the database can trigger arbitrary instantiation of PHP objects, which may lead to arbitrary code execution and full compromise of the system. This flaw is a classic case of unsafe deserialization (CWE‑502): the affected unserialize() calls omit the allowed_classes option that normally restricts which classes may be instantiated during deserialization.

Affected Systems

The vulnerability applies to Concrete CMS installations running any version before 9.5.2. Users of the open‑source CMS must verify whether their instance is below this version and, if so, consider upgrading or applying remediation measures.

Risk and Exploitability

The CVSS score of 8.4 points to a high‑severity flaw that is relatively easy to exploit with low attack effort (AV:L, AC:L, AT:N). Because the attack does not require special privileges or an interactive user interface, the risk remains significant. The flaw is not listed in CISA’s KEV catalog, and no public exploit has been reported yet; still, the nature of PHP object injection means an attacker can instantiate arbitrary objects and execute arbitrary code once a malicious payload is present in the database. EPSS data is not provided, so the exploit likelihood cannot be quantified.

Generated by OpenCVE AI on June 3, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.2 or later, which removes the vulnerable unserialize() calls and restores the allowed_classes restriction.
  • If an upgrade is not immediately possible, configure the application to enforce allowed_classes in all unserialize() calls, ensuring only whitelisted classes can be deserialized.
  • Sanitize or purge existing database entries that may contain malicious serialized payloads, and consider adding input validation checks on forms and workflow components to reject unexpected object data.
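As an added illustration of the second and third actions above (this is example code, not Concrete CMS's own code; the class and function names are hypothetical and PHP 8 is assumed), the following shows the unsafe unserialize() pattern beside a hardened loader that passes allowed_classes and treats any __PHP_Incomplete_Class result as a tamper signal, plus a helper that flags stored values embedding object tokens so existing database rows can be audited before they are deserialized:

```php
<?php
// Added example, not Concrete CMS code. WorkflowProgressState is a
// hypothetical stand-in for whatever application class you deliberately
// want to allow back out of the database.
declare(strict_types=1);

final class WorkflowProgressState
{
    public function __construct(public int $step = 0, public string $note = '') {}
}

// Unsafe pattern: with no allowed_classes option, unserialize() instantiates
// whatever class the stored payload names, so a tampered row becomes an
// entry point for object injection.
function unsafeLoad(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened pattern: an explicit allow-list. Records that should hold only
// scalars and arrays get allowed_classes => false; any object the payload
// names outside the list comes back as __PHP_Incomplete_Class, which we
// reject instead of silently using.
function safeLoad(string $stored, array $allowedClasses = []): mixed
{
    $value = unserialize($stored, [
        'allowed_classes' => $allowedClasses === [] ? false : $allowedClasses,
        'max_depth'       => 16, // also caps nesting of deliberately deep payloads
    ]);

    // 'b:0;' is the one input that legitimately unserializes to false.
    if ($value === false && $stored !== 'b:0;') {
        throw new RuntimeException('Malformed serialized data');
    }
    if (containsIncompleteClass($value)) {
        throw new RuntimeException('Serialized data references a class outside the allow-list');
    }
    return $value;
}

// Walk arrays and object properties looking for placeholder objects left
// behind by the allow-list.
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    $children = is_array($value) ? $value : (is_object($value) ? (array) $value : []);
    foreach ($children as $child) {
        if (containsIncompleteClass($child)) {
            return true;
        }
    }
    return false;
}

// Audit helper for existing rows: flag any stored value that carries an
// object (O:) or custom-serialized (C:) token, which pure data never needs.
function looksLikeSerializedObject(string $stored): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $stored) === 1;
}

// Demonstration on constructed sample values.
$record = serialize(['step' => 2, 'note' => 'approved']);
echo 'plain data loads: ', var_export(safeLoad($record), true), "\n";

$state = serialize(new WorkflowProgressState(3, 'pending'));
$obj   = safeLoad($state, [WorkflowProgressState::class]);
echo 'allow-listed class restored: ', var_export($obj instanceof WorkflowProgressState, true), "\n";

// Constructed sample of a stored value naming a class we never expect.
$unexpected = 'O:8:"stdClass":1:{s:1:"x";i:1;}';
echo 'audit flags row: ', var_export(looksLikeSerializedObject($unexpected), true), "\n";
try {
    safeLoad($unexpected);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The audit helper is a triage filter, not a parser: run it over the columns the affected components read from, review every hit by hand, and only then decide whether a row is legitimate application data or something to purge.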

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 22:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Concretecms; Concretecms concrete Cms
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Concretecms; Concretecms concrete Cms

Wed, 03 Jun 2026 19:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 19:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
Type: Title
  Values Removed: (none)
  Values Added: Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction.
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-502
Type: References
  Values Removed: (none)
  Values Added: (none listed)
Type: Metrics (cvssV4_0)
  Values Removed: (none)
  Values Added: {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Concretecms Concrete Cms
MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-06-03T19:07:56.723Z

Reserved: 2026-05-05T20:23:08.863Z

Link: CVE-2026-7888

Vulnrichment

Updated: 2026-06-03T19:07:52.022Z

NVD

Status: Deferred

Published: 2026-06-03T19:16:38.910

Modified: 2026-06-04T15:20:18.097

Link: CVE-2026-7888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T22:30:43Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data